SUSE-CU-2020:709-1: Security update of ses/7/rook/ceph

sle-updates at lists.suse.com
Thu Nov 26 00:20:48 MST 2020


SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:709-1
Container Tags        : ses/7/rook/ceph:1.4.7, ses/7/rook/ceph:1.4.7.6, ses/7/rook/ceph:1.4.7.6.1.1378, ses/7/rook/ceph:latest, ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1378
Severity              : important
Type                  : security
References            : 1160790 1161088 1161089 1161670 1174232 1174593 1176116 1176256
                        1176257 1176258 1176259 1177458 1177490 1177510 1177699 1177858
                        1177864 1177939 1178387 1178512 1178727 CVE-2019-16785 CVE-2019-16786
                        CVE-2019-16789 CVE-2019-16792 CVE-2020-15166 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov  4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3264-1
Released:    Tue Nov 10 09:50:29 2020
Summary:     Security update for zeromq
Type:        security
Severity:    moderate
References:  1176116,1176256,1176257,1176258,1176259,CVE-2020-15166
This update for zeromq fixes the following issues:

- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial of service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256).
- Fixed a memory leak in clients induced by malicious servers when CURVE/ZAP is not in use (bsc#1176257).
- Fixed a memory leak when processing PUB messages with metadata (bsc#1176259).
- Fixed a stack overflow in the PUB/XPUB subscription store (bsc#1176258).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3269-1
Released:    Tue Nov 10 15:57:24 2020
Summary:     Security update for python-waitress
Type:        security
Severity:    moderate
References:  1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792
This update for python-waitress to 1.4.3 fixes the following security issues:

- CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670).
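Added here as an illustration of the four smuggling vectors listed above (this is example code, not waitress's own implementation): a strict request-framing check that rejects each of them, run over constructed sample requests.

```python
import re

class FramingError(ValueError):
    """The request cannot be framed unambiguously."""

def check_request_framing(raw: bytes) -> dict:
    """Return headers (name -> list of values) or raise FramingError."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated by CRLF CRLF")
    # CVE-2019-16785: a bare LF is not a line terminator; lenient parsing here would disagree with a strict proxy.
    if b"\n" in head.replace(b"\r\n", b""):
        raise FramingError("bare LF inside header block")
    headers: dict = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        # CVE-2019-16789: only RFC 7230 token bytes in a header name; "Content-Length :" is rejected, not trimmed.
        if not colon or not re.fullmatch(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+", name):
            raise FramingError(f"invalid header name {name!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    # CVE-2019-16792: a second Content-Length, equal or not, is rejected.
    if len(cl) > 1:
        raise FramingError("duplicate Content-Length")
    if cl and not cl[0].isdigit():
        raise FramingError("non-numeric Content-Length")
    # CVE-2019-16786: an unknown Transfer-Encoding fails closed (no fallback to Content-Length); never combine the two.
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings != [b"chunked"]:
            raise FramingError(f"unsupported Transfer-Encoding {codings!r}")
        if cl:
            raise FramingError("Content-Length together with Transfer-Encoding")
    return {k.decode(): [v.decode("latin-1") for v in vs] for k, vs in headers.items()}

def classify(raw: bytes) -> str:
    """'ok' or the rejection reason, e.g. for triaging requests a proxy forwarded."""
    try:
        check_request_framing(raw)
        return "ok"
    except FramingError as exc:
        return str(exc)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "good": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
    "double_cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: a\nContent-Length: 5\r\n\r\nhello",
}
```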

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use the leaf optimization for NFS (bsc#1174232).
  NFS st_nlink values are not accurate on all implementations, so find aborts if it relies on them.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3301-1
Released:    Thu Nov 12 13:51:02 2020
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1177939
This update for openssh fixes the following issues:

- Ensure that only approved DH parameters are used in FIPS mode, to meet the NIST SP 800-56A Rev. 3 restrictions (bsc#1177939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3307-1
Released:    Thu Nov 12 14:17:55 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1177699
This update for rdma-core fixes the following issue:

- Move rxe_cfg to libibverbs-utils. (bsc#1177699)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote.
  This allows dropping the workaround of manually removing the journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf when 'journal_remote' support was disabled.
- Move the journal-{remote,upload}.conf.5.gz man pages into the systemd-journal_remote sub-package.
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458).
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}.
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth with the old user's UID and GID. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth, which checks the effective and real UIDs to determine the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3510-1
Released:    Wed Nov 25 07:38:02 2020
Summary:     Recommended update for rook
Type:        recommended
Severity:    moderate
References:  
This update for rook fixes the following issues:

rook was updated to v1.4.7

* Ceph

    * Log warning about v14.2.13 being an unsupported Ceph version due to
      errors creating new OSDs (#6545)
    * Disaster recovery guide for PVCs (#6452)
    * Set the deviceClass for OSDs in non-PVC clusters (#6545)
    * External cluster script to fail if prometheus port is not default (#6504)
    * Remove the osd pvc from the osd purge job (#6533)
    * External cluster script added additional checks for monitoring
      endpoint (#6473)
    * Ignore Ceph health error MDS_ALL_DOWN during reconciliation (#6494)
    * Add optional labels to mon pods (#6515)
    * Assert type for logging errors before using it (#6503)
    * Check for orphaned mon resources with every reconcile (#6493)
    * Update the mon PDBs if the maxUnavailable changed (#6469)

* NFS

    * Update documentation and examples (#6455)
